Motivation | Call-strings method | Correctness | Approximate call-string method | Bounded call-string method

Interprocedural Analysis: Sharir-Pnueli's Call-strings Approach
Deepak D'Souza
Department of Computer Science and Automation, Indian Institute of Science, Bangalore.
04 September 2013
Outline
1. Motivation
2. Call-strings method
3. Correctness
4. Approximate call-string method
5. Bounded call-string method
Handling programs with procedure calls

How would we extend an abstract interpretation to handle programs with procedures?

    main(){        f(){            g(){
      x := 0;        x := x+1;       f();
      f();           return;         return;
      g();         }               }
      print x;
    }

Question: what is the collecting state before the print x statement in main?
Handling programs with procedure calls

Add extra edges to the control-flow graph:
- call edges: from a call site (call p) to the start of procedure p.
- ret edges: from a return statement (in p) to the point after each call site of p (the "ret sites").

[Figure: the extended control-flow graph of the example program, with the procedures main, f and g drawn side by side; program points and edges are labelled A through L. The following slides refer to D, K and H as call edges and to E as the ret edge corresponding to D.]

Assume variables are uniquely named across the program. Transfer functions for call/return edges? Identity, if we assume no parameters/return values; else treat them like assignment statements.

Now compute the JOP in this extended control-flow graph.
Problem with JOP in this graph

Ex. 1. Actual collecting state at C? {x ↦ 2}.

Ex. 2. JOP at C for the collecting-semantics abstract interpretation? {x ↦ 1, x ↦ 2, x ↦ 3, ...}.

JOP is sound but very imprecise. Some paths don't correspond to executions of the program, e.g. ABDFGILC.

What we want is the Join over "Interprocedurally-Valid" Paths (JVP).
Interprocedurally valid paths and their call-strings

Informally, a path ρ in the extended CFG G′ is interprocedurally valid if every return edge in ρ "corresponds" to the most recent "pending" call edge. For example, in the example program the ret edge E corresponds to the call edge D.

The call-string of a valid path ρ is the subsequence of call edges in ρ which have not been "returned" as yet. For example, cs(ABDFGEKJHF) is "KH".
Interprocedurally valid paths and their call-strings

A path ρ = ABDFGEKJHF in IVP(G′) for the example program, with the number of pending (unreturned) calls after each step:

    A  B  D  F  G  E  K  J  H  F
    0  0  1  1  1  0  1  1  2  2

Associated call-string cs(ρ) is KH.
For ρ = ABDFGEK, cs(ρ) = K.
For ρ = ABDFGE, cs(ρ) = ε.
Interprocedurally valid paths and their call-strings

More formally: let ρ be a path in G′. We define when ρ is interprocedurally valid (and we say ρ ∈ IVP(G′)) and what its call-string cs(ρ) is, by induction on the length of ρ.

- If ρ = ε then ρ ∈ IVP(G′). In this case cs(ρ) = ε.
- If ρ = ρ′ · N then ρ ∈ IVP(G′) iff ρ′ ∈ IVP(G′) with cs(ρ′) = γ, say, and one of the following holds:
  1. N is neither a call nor a ret edge. In this case cs(ρ) = γ.
  2. N is a call edge. In this case cs(ρ) = γ · N.
  3. N is a ret edge, γ is of the form γ′ · C, and N corresponds to the call edge C. In this case cs(ρ) = γ′.

We denote the set of (potential) call-strings in G′ by Γ. Thus Γ = C*, where C is the set of call edges in G′.
Join over interprocedurally-valid paths (JVP)

Let P be a given program, with extended CFG G′. Let path_{I,N}(G′) be the set of paths from the initial point I to point N in G′. Let A = ((D, ≤), f_{MN}, d_0) be a given abstract interpretation. Then we define the join over all interprocedurally valid paths (JVP) at point N in G′ to be:

$$\bigsqcup_{\rho \in \mathit{path}_{I,N}(G') \cap \mathit{IVP}(G')} f_\rho(d_0).$$
One approach to obtain JVP

Find the JOP over the same graph, but modify the abstract interpretation:
- Modify the transfer functions for call/ret edges to detect and invalidate invalid ret edges.
- Augment the underlying data values with some information for this.

Natural thing to try: "call-strings".
Overall plan

- Define an abstract interpretation A′ which extends the given abstract interpretation A with call-string data.
- Show that the JOP of A′ on G′ coincides with the JVP of A on G′.
- Use Kildall's algorithm (or any other technique) to compute the LFP of A′ on G′. This value over-approximates the JVP of A on G′:

    LFP(G′, A′)  ≥  JOP(G′, A′)  =  JVP(G′, A)
Call-string abstract interpretation A′: Lattice (D′, ≤′)

Elements of D′ are maps ξ : Γ → D. For example, with call edges c1 and c2:

    γ:      ε     c1    c1c2    c1c2c2   ...
    ξ(γ):   d0    d1    d2      d3       ...

Ordering on D′: ≤′ is the pointwise extension of ≤ in D. That is, ξ1 ≤′ ξ2 iff for each γ ∈ Γ, ξ1(γ) ≤ ξ2(γ).

Join is likewise pointwise. For ξ1 mapping ε, c1, c1c2, c1c2c2 to d0, d1, d2, d3 and ξ2 mapping them to e0, e1, e2, e3:

    γ:               ε          c1         c1c2       c1c2c2
    (ξ1 ⊔ ξ2)(γ):    d0 ⊔ e0    d1 ⊔ e1    d2 ⊔ e2    d3 ⊔ e3
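The following is an added worked example, not code from these slides or from Sharir and Pnueli. It implements the inductive definition of IVP(G′) and cs(ρ) from the "More formally" slide, and then runs the call-string abstract interpretation A′ of this slide as a worklist fixpoint over a hand-built extended CFG for the example program. Assumptions: the program points and edge ids (m0.., f0.., g0.., "cf1", "rf2", ...) are our own labels rather than the slides' A..L; the underlying abstract interpretation A is constant propagation on x rather than the collecting semantics; and, because the example program has no recursion, only finitely many call-strings are ever reached, so the worklist terminates without the bounded or approximate methods listed in the outline. Running it with context_sensitive=False reproduces the imprecise JOP (x is not constant before print x), with True the JVP (x = 2).

```python
# Constructed example (not from the slides): Sharir-Pnueli call-strings on a
# hand-built extended CFG G' for the example program
#   main(){ x := 0; f(); g(); print x; }   f(){ x := x+1; return; }   g(){ f(); return; }
# Point and edge names are our own labels, not the slides' A..L.  The underlying
# abstract interpretation A is assumed to be constant propagation on x.

BOT, TOP = None, "TOP"          # D: BOT < constants < TOP

def join(a, b):
    """Join in D: BOT is the identity, equal constants stay, anything else is TOP."""
    if a is BOT:
        return b
    if b is BOT:
        return a
    return a if a == b else TOP

def incr(v):
    """Transfer function for x := x+1."""
    return v if v in (BOT, TOP) else v + 1

def ident(v):
    """Transfer function for statements that do not touch x (print x, return)."""
    return v

# Edges of G': id -> (src, dst, kind, payload).  'stmt' carries a transfer
# function; 'call' goes from a call site to the callee's entry; 'ret' goes from
# the callee's exit to a ret site and carries the id of its matching call edge.
EDGES = {
    "a":   ("m0", "m1", "stmt", lambda v: 0),   # x := 0
    "cf1": ("m1", "f0", "call", "f"),           # call f (from main)
    "rf1": ("f1", "m2", "ret",  "cf1"),         # return from f to main
    "cg":  ("m2", "g0", "call", "g"),           # call g
    "rg":  ("g1", "m3", "ret",  "cg"),          # return from g to main
    "p":   ("m3", "m4", "stmt", ident),         # print x; m4 is the point after it
    "inc": ("f0", "f1", "stmt", incr),          # x := x+1
    "cf2": ("g0", "f0", "call", "f"),           # call f (from g)
    "rf2": ("f1", "g1", "ret",  "cf2"),         # return from f to g
}

def call_string(path):
    """cs(rho) by the slides' inductive definition; None if rho is not in IVP(G')."""
    gamma = ()
    at = EDGES[path[0]][0] if path else None
    for e in path:
        src, dst, kind, payload = EDGES[e]
        if src != at:                       # not even a path in G'
            raise ValueError(f"edge {e} does not start at {at}")
        at = dst
        if kind == "call":                  # case 2: append the call edge
            gamma += (e,)
        elif kind == "ret":                 # case 3: must match the pending call
            if not gamma or gamma[-1] != payload:
                return None
            gamma = gamma[:-1]
    return gamma                            # case 1 leaves gamma unchanged

def analyse(context_sensitive):
    """Worklist fixpoint over G'.  With context_sensitive=True the values are
    elements of D' = Gamma -> D, stored sparsely as (point, gamma) -> D, and a
    ret edge is taken only when the top of gamma is its matching call edge.
    With False, gamma is always () and every ret edge is taken (plain JOP)."""
    start = ("m0", ())
    state = {start: TOP}                    # x is uninitialised at entry
    work = [start]
    while work:
        pt, gamma = key = work.pop()
        val = state[key]
        for eid, (src, dst, kind, payload) in EDGES.items():
            if src != pt:
                continue
            if kind == "stmt":
                new_gamma, new_val = gamma, payload(val)
            elif kind == "call":
                new_gamma = gamma + (eid,) if context_sensitive else ()
                new_val = val
            else:  # ret
                if context_sensitive:
                    if not gamma or gamma[-1] != payload:
                        continue            # invalid ret edge: this path is dropped
                    new_gamma = gamma[:-1]
                else:
                    new_gamma = ()
                new_val = val
            nkey = (dst, new_gamma)
            old = state.get(nkey, BOT)
            new = join(old, new_val)
            if new != old:
                state[nkey] = new
                work.append(nkey)
    return state

def value_at(state, point):
    """Collapse xi_N : Gamma -> D to one D value by joining over every gamma."""
    out = BOT
    for (pt, _), v in state.items():
        if pt == point:
            out = join(out, v)
    return out

if __name__ == "__main__":
    print("JOP at m4 (context-insensitive):", value_at(analyse(False), "m4"))
    print("JVP at m4 (call-strings):       ", value_at(analyse(True), "m4"))
```

The invalid path from the slides has a direct analogue here: a, cf1, inc, rf2 enters f from main but returns into g, and call_string rejects it because the pending call edge is cf1, not cf2. The context-insensitive run follows exactly such paths and loops f → g → f until x is no longer constant, which is why the JOP is a sound but useless answer at print x, while the call-string run keeps the two activations of f apart under different γ and reports x = 2.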